Privacy groups complain to FTC over Facebook privacy tweaks

Fifteen privacy organizations filed a complaint with the FTC this week over …

The Electronic Privacy Information Center (EPIC) is taking its beef with Facebook's privacy policies to the Federal Trade Commission once again. A new complaint comes in the wake of Facebook's latest updates to its privacy policy. According to EPIC and 14 other consumer groups, Facebook's decision to open up even more personal information as "public" is a violation of user expectations, it diminishes privacy, and it contradicts Facebook's own representations about how the service works.

In the complaint, which was filed on Wednesday, the groups accused Facebook of engaging in unfair and deceptive trade practices and violating consumer protection laws. In addition to the 38-page document (PDF) submitted to the FTC, EPIC also sent a letter (PDF) to Congress, asking members of the Senate and House to keep a close eye on the Commission's investigation into Facebook.

"Facebook continues to manipulate the privacy settings of users and its own privacy policy so that it can take personal information provided by users for a limited purpose and make it widely available for commercial purposes," reads the letter. "The company has done this repeatedly and users are becoming increasingly angry and frustrated."

This new complaint will be stacked on top of a previous complaint from EPIC filed in December, along with numerous others filed by other organizations (such as the Electronic Frontier Foundation). The groups have expressed their frustration over the FTC's inability to move quickly on these issues, but indicated that they still hold out hope that the Commission can take steps to protect user privacy on behalf of Facebook's userbase.

Update: Facebook responded to the complaint by noting once again that it believes it's working within legal limits by pushing out its latest feature set. "Our new features are providing beneficial new social experiences to people around the world that are transparent, consistent with user expectations, and in full compliance with legal requirements," Facebook spokesperson Andrew Noyes told Ars.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Emailjacqui@arstechnica.com//Twitter@eJacqui

42 Reader Comments

About time that someone stood up for us! I am sick and tired of Facebook deciding that it can change their privacy policies and use our personal information for their commercial gain. I understand they need to make money ... but Google makes money and they don't have to sell our personal information.

It's their service, and they don't charge money for it. How does that make it any part of the FTC's bailiwick? Unless there are privacy laws that are applicable, I don't see how they can come down on them. Not only that, if there is a privacy law that is applicable, the FTC wouldn't be the agency to enforce it. I am guessing that some sort of law will need to be passed to address this issue. In the meantime, it's all hogs to the trough! If people are stupid enough to stay on Facebook, they pretty much are going to be taken advantage of.

It's their service, and they don't charge money for it. How does that make it any part of the FTC's bailiwick?

The service is presented in one manner, and advertised as such. It then turns out that the service behaves in a different way. On some level this is false advertising, which is within the realm of the FTC.

Otherwise I agree with you. I'm not on Facebook myself but I would consider it if they had reasonable policies about using my private data.

You can use Firefox's Adblock Plus add-on (https://addons.mozilla.org/en-US/firefox/addon/1865) to prevent other sites from accessing Facebook in any way (e.g., fetching personal data, installing FB apps, running FB-supplied Javascript, etc.) by creating the following four Adblock Plus filters:

The above filters tell Firefox never to allow any site other than Facebook's four sites (facebook.com, facebook.net, fbcdn.com, and fbcdn.net) to access Facebook. Thus, Facebook continues to work perfectly, but other sites don't get to talk to Facebook at all.

You still need to set your FB privacy settings for purely internal-to-FB privacy, but no future (secret) agreement between FB and some random Web site can expose your FB data to that site.

You can use Firefox's Adblock Plus add-on (https://addons.mozilla.org/en-US/firefox/addon/1865) to prevent other sites from accessing Facebook in any way (e.g., fetching personal data, installing FB apps, running FB-supplied Javascript, etc.) by creating the following four Adblock Plus filters:

The above filters tell Firefox never to allow any site other than Facebook's four sites (facebook.com, facebook.net, fbcdn.com, and fbcdn.net) to access Facebook. Thus, Facebook continues to work perfectly, but other sites don't get to talk to Facebook at all.

You still need to set your FB privacy settings for purely internal-to-FB privacy, but no future (secret) agreement between FB and some random Web site can expose your FB data to that site.

The complaint from EPIC to the FTC seems to be pretty well put together. After reading the whole thing I can understand where their complaint presents a fair and decent argument. Such practices as described in the complaint are adverse or detrimental to the users privacy and are decpetively implemented and are within the rhelm of the FTC. However, only time will tell if such a complaint is acted on by the FTC.

People should have learned by now even when free becomes popular there is always someone who wants to start making money from it. Servers cost money, bandwidth costs money, storage costs money, the employees at FaceBook cost money, did anyone really think that all this was going to be given out of love for their fellow man? No one expends this type of money unless they get something in return. Why anyone would have ever thought that at some point FaceBook would not try to capitalize on the presence of millions of pieces of personal information to make a buck is beyond me. One of the most astute observations ever made was by P.T. Barnum who is credited with the phrase "There's a sucker born every minute"

You can use Firefox's Adblock Plus add-on (https://addons.mozilla.org/en-US/firefox/addon/1865) to prevent other sites from accessing Facebook in any way (e.g., fetching personal data, installing FB apps, running FB-supplied Javascript, etc.) by creating the following four Adblock Plus filters:

The above filters tell Firefox never to allow any site other than Facebook's four sites (facebook.com, facebook.net, fbcdn.com, and fbcdn.net) to access Facebook. Thus, Facebook continues to work perfectly, but other sites don't get to talk to Facebook at all.

You still need to set your FB privacy settings for purely internal-to-FB privacy, but no future (secret) agreement between FB and some random Web site can expose your FB data to that site.

The network effects make facebook hard to avoid. This probably varies depending on where you live, but where I live facebook market penetration has to be about the same as internet market penetration. Everyone uses it for everything social. From grandmothers to children. It is so widely used people do not even think to use other means of communication any more.

Based on my experience: - Want to know about a party? - the event is only on facebook - Hook up on someone at the bar? - they want to contact you through facebook. - Want to see the pictures your cousin's baby? - they are only posted to facebook. - Want to send a friend a message? - people check their facebook many times a day and check their email once a week or so, do you want a reply this week? - Want to go out friday night? - it is planned through facebook.

Sure you can not use facebook, but it is social suicide. People expect you to have facebook. Sure it is fine to blow off a repeat hookup with some bar rat because you don't have facebook to communicate with them, but not getting an invite to your grandmother's Sunday dinner is harder to ignore. And from the average person's perspective you are being rude for not having facebook "Why do you think you are so special that I need to give you a personal invite to the party? Just get facebook like everyone else and stop being a hassle.". It is sad but in my city if you aren't using facebook you have no social life.

"but Google makes money and they don't have to sell our personal information."

Wow, perhaps you are familiar with a Google service known as AdWords. They are not only selling your personal information for money, its one of the only consistent sources of revenue for Google, and makes up the lion share of their profit. It is every persons responsibility to protect their own data from private entities. We have a reasonable expectation of privacy from the government, we do not have a reasonable expectation of privacy from private companies whose services you partonize. This would be like outrage over a stadium counting how many people enter with turnstiles, and use that information to sell space in the stadium to vendors.

Yes, I know all the guff about "IF YOU HAVE SOMETHING YOU DON'T WANT THE WORLD TO KNOW, THEN DON'T PUT IT ON FACEBOOK!" and I made my dutiful rant comment at http://is.gd/bZjz1

But for me, it boils down to this. When I first got a FB userid, it was with the understanding I could list "interests" and other PII for sharing among *explicitly chosen* "friends". I believe, recent changes have much enlarged the range of this sharing, beyond my immediate consent or control. I object, but I think the FB team believes most of its users enjoy the decreased privacy.

So I blanked out my PII (which I suspect had not much effect), then changed all privacy levels to "Only me", then after a week, "deactivated" my userid. (I understand there is a way to fully cancel, but I didn't know, at the time.)

We have a reasonable expectation of privacy from the government, we do not have a reasonable expectation of privacy from private companies whose services you partonize. This would be like outrage over a stadium counting how many people enter with turnstiles, and use that information to sell space in the stadium to vendors.

I think privacy is really one of those slippery-slope issues, none of use really know what is going behind the scenes. We already know that grocery stores collect and resell aggregate consumer spending info. But imagine if someone bought a book from Amazon about depression, and suddenly they started getting direct-to-consumer marketing flyers in their mail from pharma, most people would be alarmed by that.

Anyway, Facebook and Google are not selling books or stadium seats, but user information and advertising as you noted, so any privacy analogies will be inexact. However, keeping information away from private entities is incredibly difficult nowadays. I'm sure if we unleashed a Google spider to crawl the Ars forum, half the time it could probably guess the real-life identities using the content of our posts (where we live/work/play, what tech/movies/games we enjoy) and linking them to social networking profiles, publicly accessible mailing list archives, resume postings, user-generated reviews, etc... even if we are careful about we post on any individual site.

And it's not just individual actions, your friends in Facebook can also upload embarrassing drunken photos of you to their accounts, and link it to your profile.

The network effects make facebook hard to avoid. This probably varies depending on where you live, but where I live facebook market penetration has to be about the same as internet market penetration. Everyone uses it for everything social. From grandmothers to children. It is so widely used people do not even think to use other means of communication any more.

Based on my experience: - Want to know about a party? - the event is only on facebook - Hook up on someone at the bar? - they want to contact you through facebook. - Want to see the pictures your cousin's baby? - they are only posted to facebook. - Want to send a friend a message? - people check their facebook many times a day and check their email once a week or so, do you want a reply this week? - Want to go out friday night? - it is planned through facebook.

Sure you can not use facebook, but it is social suicide. People expect you to have facebook. Sure it is fine to blow off a repeat hookup with some bar rat because you don't have facebook to communicate with them, but not getting an invite to your grandmother's Sunday dinner is harder to ignore. And from the average person's perspective you are being rude for not having facebook "Why do you think you are so special that I need to give you a personal invite to the party? Just get facebook like everyone else and stop being a hassle.". It is sad but in my city if you aren't using facebook you have no social life.

I'm sure if we unleashed a Google spider to crawl the Ars forum, half the time it could probably guess the real-life identities using the content of our posts (where we live/work/play, what tech/movies/games we enjoy) and linking them to social networking profiles, publicly accessible mailing list archives, resume postings, user-generated reviews, etc... even if we are careful about we post on any individual site.

I hate to break it to you, but Google has been spidering the forums for a couple years now. I have a daily alert on my username and real name, and I frequently get notifications about posts that I make here.

It's their service, and they don't charge money for it. How does that make it any part of the FTC's bailiwick?

The service is presented in one manner, and advertised as such. It then turns out that the service behaves in a different way. On some level this is false advertising, which is within the realm of the FTC.

Otherwise I agree with you. I'm not on Facebook myself but I would consider it if they had reasonable policies about using my private data.

I'm not sure they are covered by this as they don't charge for their service.Also, as long as they have a way to turn it off, even if it is kind of difficult, I think they are ok there too. I think the key words are material, and commerce. Commerce might be covered if they are selling bad data to their customers. The customers would be the victims there, not the facebook users though.

I have never had a Facebook account though, for the same reason you don't. I don't trust them, and they keep changing the rules.

"A. Consumer Protection

The basic consumer protection statute enforced by the Commission is Section 5(a) of the FTC Act, which provides that "unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful." (15 U.S.C. Sec. 45(a)(1)). Safe Web amended Sec. 5(a) "unfair or deceptive acts or practices" to include such acts or practices involving foreign commerce that cause or are likely to cause reasonably foreseeable injury within the United States or involve material conduct occurring within the United States.

"Unfair" practices are defined as those that "cause[] or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition" (15 U.S.C. Sec. 45(n))."

It is my personal belief that the issue with facebook is more that it continuously changes it's policy on privacy whenever it believes that it can get away with it. If FaceBook took its clear stance on privacy in the outset, it would not be an issue. People who did not agree with that stance would leave, and people who were okay with it (personal opinion: being treated like open books with their friends forced to be known to everyone meet) would stay.

The network effects make facebook hard to avoid. This probably varies depending on where you live, but where I live facebook market penetration has to be about the same as internet market penetration. Everyone uses it for everything social. From grandmothers to children. It is so widely used people do not even think to use other means of communication any more.

Based on my experience: - Want to know about a party? - the event is only on facebook

They said that about MySpace, too. Remember them? I think only musicians care much about them any more.

I'm still on FB, but my info is quite limited. All of my friends are also removing info. Good luck selling content that no longer exists, FB

Sure you can not use facebook, but it is social suicide. People expect you to have facebook. Sure it is fine to blow off a repeat hookup with some bar rat because you don't have facebook to communicate with them, but not getting an invite to your grandmother's Sunday dinner is harder to ignore. And from the average person's perspective you are being rude for not having facebook "Why do you think you are so special that I need to give you a personal invite to the party? Just get facebook like everyone else and stop being a hassle.". It is sad but in my city if you aren't using facebook you have no social life.

This is one of the saddest comments I ever read. What kind of friends or grandmother do you have who do you not value you enough to send an email or give a phone call for an invite?

Everyone who is tech-savvy has friends (hopefully) that are not very technically-inclined. Facebook is one of the places you "have" to go to to deal with those friends. Facebook is probably fairly aware that the majority of their users are not the same demographic that say, reads ArsTechnica. They use this to their advantage.

Ah yes, the age of nonaccountability. People publish all sorts of sordid information on the 'net and then get pissed at other people that it's available.

Idiots.

Realize that some of the information on FaceBook that is available now was not available before. You should be able to post something on the internet and expect some privacy if you are granted privacy (and anyone who says otherwise is using that as an excuse, especially if you are told that your information will be private), the same as you should be able to talk on the phone and not have to assume that your next door neighbor is wiretapping you, or send a text message and not have to assume that your phone company is reading it, or send an email and expect that neither your contact list nor the email service provider can read it.

People who have not removed their information after their privacy was violated and still find issue may fall into your description category.

Sure you can not use facebook, but it is social suicide. People expect you to have facebook. Sure it is fine to blow off a repeat hookup with some bar rat because you don't have facebook to communicate with them, but not getting an invite to your grandmother's Sunday dinner is harder to ignore. And from the average person's perspective you are being rude for not having facebook "Why do you think you are so special that I need to give you a personal invite to the party? Just get facebook like everyone else and stop being a hassle.". It is sad but in my city if you aren't using facebook you have no social life.

Your not serious. Tell me that this was a joke. Just what city do you live in? Lets drop a nuke on that city now. You mean your own GrandMother will not have any personal interaction with you? A bar rat is so shallow as to not see you again if you don't have FaceBook? This is just beyond sad. You need to get a real life, with real people, with real personal interaction, your the person that needs to get away from FaceBook, back away from the computer, drop the mouse, NOW!

The problem is stuff on FB that is not embarrassing but that I don't want exposed - my hometown, name, cell phone number, and a list of all my friends. It makes identity theft easy, but the only reason I use FB is as a self-updating address book. I don't think it's unreasonable to expect that the site should at least respect that level of privacy - those certainly are the conditions under which I shared the information with them in the first place.

What a conundrum. I'm not particularly attached to Facebook itself, but I have yet to find a service that offers similar features with as wide an audience. It just doesn't exist [yet]. I'm not a huge poster, and I don't follow people much, but it does let me stay in contact with co-workers and friends I don't see often easily. It lets me share, and lets them share with me on our own time, and we are quite the spread out bunch these days. I have found that it has increased the depth of these people in real life, as it lets me stay more connected to them when I otherwise wouldn't be as easily able to. Facebook is less intrusive to me than if they all were CCing the same things to my email address all the time. I'm unhappy with the changes that are exposing more of my info than I want, yet unwilling to quit because it does provide me a valuable service I can't get elsewhere...

There is a new social network coming to us later this year and its founding is heavily based on a dedication to privacy and all of the other nice features we like about social networks. Check out the project. I would love to see them beat Facebook.

This would be like outrage over a stadium counting how many people enter with turnstiles, and use that information to sell space in the stadium to vendors.

NO IT'S NOT. That's the worst example. Your example doesn't take into account ANY personal data. The Facebook equivalent of what you just said would be FB counting how many active users log in, which it does often and setting up ads for those people to see - which it also does. This isn't what the complaints are about.

This is one of the saddest comments I ever read. What kind of friends or grandmother do you have who do you not value you enough to send a carrier pigeon or give a telegram for an invite?

T,FTFY as far as some FB users are concerned...

I definitely have friends that use FB messages more than email. It's what happens when one popular service overtakes another, just like the telephone replaced the telegram.

BTW, I don't know anyone that would call each person they want to invite to a party when the list is more than a couple people. This has been the case for at least decade now.

Um, well, I'm sure my mom (in her late 60s) still does that. I'm pretty sure less than 5% of her friends/acquaintances of a similar age are on facebook.

In general: my wife's finding the same problem. She's a teacher at a primary school (k-2) and she basically got a facebook account just to get invited to events, etc.. But, neither one of us are very active on there (when you have 2 little kids, and full-time jobs, there just isn't that much time left.. )

And no, we don't give a (insert expletive of choice) who just found a (insert object of choice) on farmville..